Data, AI and the Future of Enterprise Risk Management

ERM Pilot | ERM Series, Part 3 of 3 by William Hord - Chief Strategy Officer
Artificial intelligence has moved from a technology curiosity to a genuine operational reality in financial services — and with that shift comes a set of questions that risk managers cannot defer. How should AI be used in risk identification and monitoring? Who governs the models that drive risk decisions? What happens when an AI system produces a biased output that affects a credit decision, a compliance flag, or a fraud alert?
Regulators are already working through these questions — though as of mid-2026, the honest answer is that the framework is being actively rebuilt, not steadily tightened, and AI specifically sits in something of a governance gap right now rather than under a strengthened rulebook.
The Regulatory Baseline on Model Risk Just Changed
For fifteen years, the Federal Reserve's SR 11-7 guidance was the foundational document on model risk management. That changed on April 17, 2026, when the Federal Reserve, OCC, and FDIC jointly rescinded SR 11-7 — along with OCC Bulletin 2011-12, FIL-22-2017, the 1997 credit-scoring guidance, and the 2021 interagency BSA/AML model statement (SR 21-8) — and replaced them with revised guidance issued as SR 26-2 and OCC Bulletin 2026-13.
The new guidance keeps the intellectual core of the old framework: models must be validated, governance must involve effective challenge, and model limitations must be understood by the people relying on model outputs. But it changes how that's applied in three ways that matter directly for this discussion:
- It is explicitly non-binding. The agencies state plainly that the guidance does not set forth enforceable standards, and non-compliance alone will not result in supervisory criticism.
- It is scoped primarily to larger institutions. The guidance is expected to be most relevant to banking organizations with over $30 billion in total assets, though smaller institutions with significant or complex model use may still find it relevant.
- Generative AI and agentic AI models are explicitly excluded from its formal scope, on the grounds that they are "novel and rapidly evolving." That's a meaningful fact for any institution deploying LLM-based tools in risk or compliance functions: the newest, most authoritative model risk guidance does not, on its face, tell you how to govern them. The agencies have signaled a forthcoming interagency request for information addressing AI-specific model risk considerations, but that hasn't been issued yet.
In practice, examiners and internal audit functions are already applying the old SR 11-7-style principles to GenAI and agentic systems "by analogy" — validation, monitoring, and governance expectations don't disappear just because a tool falls outside the letter of the new guidance. But institutions should be clear-eyed that this is a period of genuine ambiguity, not a case of AI-specific rules getting stricter. Treating SR 26-2 compliance as sufficient cover for GenAI tools would be a mistake; it wasn't written to cover them.
On the examiner side, the OCC's Spring 2026 Semiannual Risk Perspective is a useful current signal of where supervisory attention actually sits. It calls for "human-in-the-loop" accountability in AI-assisted decisioning, and names lack of explainability, data privacy, "data poisoning," and validation difficulty as open industry-wide challenges — alongside a separate warning that AI is "significantly transforming" the fraud and cybersecurity threat landscape banks face. The NCUA's 2026 Supervisory Priorities letter, meanwhile, continues to emphasize sound modeling practices, reasonable assumptions, and appropriately tiered scenarios specifically for interest rate risk and liquidity modeling — it does not yet contain a formal AI governance framework, though examiners in the field are reportedly already asking credit unions about AI use, policies, and explainability even absent a finalized rule. The pattern across agencies is consistent: formal guidance is scoped narrowly and cautiously, while informal expectations are already running ahead of it.
The fundamental tension for institutions remains straightforward: AI systems can process vastly more data and identify patterns human analysts cannot — but they can also encode historical biases, optimize for proxies that produce discriminatory outcomes, and produce confident-seeming outputs from spurious correlations. Given the current regulatory gap around GenAI specifically, the governance apparatus surrounding these tools has to be built proactively by the institution, not assumed from an existing rulebook.
Where AI Genuinely Adds Value in ERM
The clearest near-term value of AI in enterprise risk management lies in data aggregation, anomaly detection, and horizon scanning — areas where the volume of relevant signals exceeds human capacity to process them.
An AI system monitoring news feeds, regulatory updates, economic indicators, and internal risk data simultaneously can surface emerging risk signals faster than any quarterly review cycle. The FDIC's 2026 Risk Review, published in April 2026, is a good illustration of the kind of multi-variable pattern such a system should be built to catch. The headline picture for 2025 was actually one of stabilization — net interest margins improved as funding costs declined, deposits grew (led by uninsured deposits), and industry-wide unrealized securities losses fell 36% to $306 billion. But underneath that, the FDIC flagged two compounding risks worth watching together: commercial real estate concentration remains elevated, with median CRE exposure at mid-sized banks (assets between $1 billion and $100 billion) running around 300% of tier 1 capital and reserves; and bank lending to nondepository financial institutions — the fastest-growing loan segment since the 2008–2009 financial crisis — carries low direct credit risk but real indirect liquidity risk, since a downturn could trigger simultaneous drawdowns on bank-funded credit lines across the NDFI sector. Neither trend alone is alarming; the interaction between them, layered with a shifting deposit and funding mix, is exactly the kind of pattern a well-designed monitoring system can flag before it fully develops — and exactly the kind of pattern that's easy to miss if CRE, NDFI lending, and funding data live in separate reviews.
The FFIEC's IT Examination Handbook and related guidance have increasingly acknowledged the role of technology in risk monitoring, while maintaining that human judgment must remain central to risk decisions. That's consistent with where the OCC has explicitly landed as of Spring 2026: AI as a decision-support tool, surfacing signals for human review, is well within the bounds of current regulatory expectations. AI as a black-box decision-maker, replacing human judgment without explainable logic, is not — and "explainability" is now one of the specific challenges the OCC has named as an open industry problem, not a solved one.
Model Risk Governance in an AI Environment
ISACA's risk frameworks and the Institute of Internal Auditors' standards both point toward the same governance requirements for AI in risk management: clear model ownership, documented assumptions and limitations, independent validation, and ongoing performance monitoring. These aren't new concepts — they're the same principles that anchored SR 11-7 and now anchor its replacement, SR 26-2, extended to a new class of model that the formal guidance doesn't yet fully reach.
In practice, this means institutions deploying AI in their ERM programs need to:
- Document what data each model is trained on, what it's designed to predict or detect, and what its known limitations are.
- Establish independent validation processes not controlled by the teams who built or use the models.
- Monitor model outputs over time for drift — the degradation in accuracy as conditions diverge from those the model was trained on.
- Maintain the ability to explain model outputs to examiners in plain terms — a capability the OCC has specifically flagged as an industry weak point.
- Build and document governance for generative AI and agentic tools deliberately, rather than assuming SR 26-2 compliance covers them — because as written, it doesn't.
The Future State
The institutions that will have the most defensible and effective ERM programs in three to five years are building their data infrastructure now. Unified risk data repositories, API-connected systems that share data across credit, market, operational, and compliance functions, and governance frameworks that treat AI tools as model risk subjects rather than technology projects — these are the investments that will compound.
The OCC is not yet requiring AI-powered ERM, and the current model risk framework doesn't formally reach the AI tools most institutions are actually deploying. But examiners are already asking the underlying questions — can you explain it, can you validate it, is a human accountable for it — informally and in the field, ahead of any finalized rule. Institutions that treat AI governance as a technology project will struggle when the interagency RFI eventually lands. Those that treat it as a governance challenge today will be better positioned for whatever comes out of it.
ERM Pilot's platform integrates risk data across disciplines and delivers AI-assisted reporting grounded in your institution's own data — not generic templates. Start your free trial at ermpilot.com.
References
- Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation. SR 26-2 / OCC Bulletin 2026-13: Model Risk Management — Revised Guidance. April 17, 2026. Supersedes SR 11-7 (April 4, 2011), OCC Bulletin 2011-12, OCC Bulletin 1997-24, FIL-22-2017, and OCC Bulletin 2021-19/SR 21-8 (April 9, 2021). Available at: https://www.federalreserve.gov/supervisionreg/srletters/SR2602.htm and https://www.occ.treas.gov/news-issuances/bulletins/2026/bulletin-2026-13.html
- Office of the Comptroller of the Currency. Semiannual Risk Perspective, Spring 2026, including discussion of AI-related governance, explainability, and cybersecurity/fraud risk. May 2026. Available at: https://www.occ.gov/news-issuances/news-releases/2026/nr-occ-2026-35.html
- National Credit Union Administration. NCUA's 2026 Supervisory Priorities. Letter to Credit Unions, January 14, 2026. Available at: https://ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/ncuas-2026-supervisory-priorities
- Federal Deposit Insurance Corporation. 2026 Risk Review, covering funding, interest rate, and credit risk trends observed in 2025. Published April 2026. Available at: https://www.fdic.gov/analysis/2026-risk-review
